A Parallel Password-Authenticated Key Exchange Protocol for Wireless Environments
Jung-Wen Lo
National Chung Hsing University, Department of Computer Science and Engineering 250 Kuo Kuang Road, Taichung, Taiwan 402, R.O.C.
National Taichung Institute of Technology, Department of Information Management 129 Sec. 3, San-min Rd., Taichung, Taiwan 413, R.O.C.
Shu-Chen Lin
Chaoyang University of Technology, Department of Information Management 168 Gifeng E. Rd., Wufeng, Taichung County Taiwan 413, R.O.C.
Min-Shiang Hwang
National Chung Hsing University, Department of Management Information Systems 250 Kuo Kuang Road, Taichung, Taiwan 402, R.O.C.
e-mail: [email protected]
Abstract. Keeping the communication security between two parties and reducing the computations are important issues, especially in a wireless network environment. Based on the most suitable protocol for wireless communication, we propose a novel parallel key exchange protocol to reduce the waiting time in this paper.
Key words:authenticated key exchange, elliptic curve discrete logarithm, key agreement, password authentication, wireless network.
1. Introduction
The Internet is widely used in the world and has influenced people’s daily lives tremendously. It is a kind of open environments, so the secret information has the possibility to be wiretapped by the malevo-lent third party. Therefore, to ensure the information securely transmitted over the Internet is an important issue. Cryptography technique is adopted to protect the data integrity and to authenticate the validity of the identity. However, the security guarantee is more difficult in the wireless environments.
The Diffie-Hellman key agreement [1] was pro-posed for sharing the common session key between two parties in 1976. However, it cannot withstand the man-in-the-middle attacks, because it does not provide the mutual authentication [2–4]. To enhance Diffie-Hellman key agreement, the password-authenti-cated key exchange (PAKE) schemes were proposed [5–11]. Two parties pre-share a weak password (hu-man-memorable password) to authenticate each other and then generate a session key to protect their com-munication over a public network.
The off-line guessing attacks in the password-authenticated key agreement protocol were
consid-tocol combines with the public-key cryptography and the secret-key cryptography that permits two parties to exchange the secret information over an insecure network by a sharing password. In 2001, Goldre-ich and Lindell implemented their protocol by us-ing many techniques, such as multi-party computa-tion, secure polynomial evaluations, and the zero-knowledge proof [7]. Hence, their protocol is too inefficient to use in the realistic world. Later, Katz et al. proposed a more efficient protocol based on the Goldreich-Lindell’s protocol, but it still consumes large communication costs and computation costs [9]. Kobara and Imai proposed a pretty-simple PAKE protocol in 2002 [12]. The two communication par-ties use the pre-shared password to authenticate each other. They claimed that their protocol is efficient in terms of communications and computations. How-ever, when their protocol is applied to the wireless environment, it is limited due to the restriction of stor-age and battery power of the mobile devices.
In a wireless network environment, the resources are limited, such as processing power, storage space, and electrical power. The elliptic curve cryptography (ECC) uses a smaller key length and less computation
ISSN 1392 – 124X INFORMATION TECHNOLOGY AND CONTROL, 2010, Vol. 39, No. 2
A PARALLEL PASSWORD-AUTHENTICATED KEY EXCHANGE
PROTOCOL FOR WIRELESS ENVIRONMENTS
Jung-Wen Lo
National Chung Hsing University, Department of Computer Science and Engineering 250 Kuo Kuang Road, Taichung, Taiwan 402, R.O.C.
National Taichung Institute of Technology, Department of Information Management 129 Sec. 3, San-min Rd., Taichung, Taiwan 413, R.O.C.
Shu-Chen Lin
Chaoyang University of Technology, Department of Information Management 168 Gifeng E. Rd., Wufeng, Taichung County Taiwan 413, R.O.C.
Min-Shiang Hwang
National Chung Hsing University, Department of Management Information Systems 250 Kuo Kuang Road, Taichung, Taiwan 402, R.O.C.
e-mail: [email protected]
Abstract. Keeping the communication security between two parties and reducing the computations are important issues, especially in a wireless network environment. Based on the most suitable protocol for wireless communication, we propose a novel parallel key exchange protocol to reduce the waiting time in this paper.
cryptography. For example, the 160 bits key-length of ECC has almost the same level of security as the 1024 bits key-length of RSA [13, 14]. Therefore, the ECC is very suitable for using in wireless device, such as the cellular phones and PDAs [15, 16]. In 2004, Chang et al. improved Kobara-Imai’s protocol for the wireless network environment [17]. Their protocol is based on the elliptic curve discrete logarithm prob-lem (ECDLP) and has the benefit of the key block size, speed and security. In 2005, Sui et al. proposed an authenticated key agreement protocol which has a perfect forward secrecy solution for wireless mo-bile communication [18]. Lu et al. found that Sui et al.’s protocol had an off-line password guessing attack problem, so they proposed an improved authenticated key agreement protocol in 2007.
Due to the evolution of computer technology, we propose a parallel password-authenticated key ex-change (PPAKE) protocol based on Chang et al.’s pro-tocol to reduce the waiting time for synchronous envi-ronments. The remainder of our paper is organized as follows. In the next section, we introduce the Chang et al.’s protocols. In Section 3, the proposed parallel protocol is introduced. We have the discussion and security analysis in Section 4. Finally, we give a brief conclusion in Section 5.
2. Review of Chang et al.’s Protocol
In the wireless environment, the ability of com-putation and battery power in mobile devices is lim-ited. More computations and transmissions will re-sult in great consumption on the battery power of the client. Therefore, it is an important issue to reduce the quantity of computation and transmitting data for a client. The Chang et al.’s protocol is pretty suitable for the wireless environments [17].
The symbols used in this paper are listed as fol-lows.
• E: An elliptic curve defined over a finite field
GF(q), whereqis a prime power;
• n: A large prime;
• P1, P2: Two base points in the elliptic curve
with large ordern;
• h(·): A secure one-way hash function;
• PW: A password shared between the client and the server;
• k: The bits concatenation.
When the client wants to exchange the secret in-formation with the server, both of them encrypt the plaintext by the session key they generated. The pass-wordP W is used to authenticate each other because only they themselves know the shared password. The proposed protocol is divided into the key agreement
phase and the key confirmation phase. The protocol between the client and server is described as follows and showed in Figure 1.
Key Agreement Phase:
A1. The client chooses a random integerdc∈[1, n− 1], and sendsQcto the server, whereQc =dc· P1+P W·P2.
A2. After receiving the registered requirement Qc
from a client, the server chooses a random inte-gerds∈[1, n−1]and computesQs=ds·P1as
well asQc0 =Qc−P W·P2. Finally, the server
sendsQskh(Keys, Qc0)to the client where the
keyKeys=ds·Qc0.
A3. The client obtains the keyKeyc by computing Keyc =dc·Qs. Then, he verifies Equation (1).
If it holds, the client will continue to execute the next phase, the key confirmation phase. Other-wise the client will reject the shared keyKeyc.
h(Keyc, dc·P1) =? h(Keys, Qc0). (1)
Key Confirmation Phase:
B1. The client repliesh(Keyc, Qs)to the server.
B2. Finally, the server verifies Equation (2). If it holds, the server will accept the key, otherwise the server will reject it.
h(Keys, ds·P1) ?= h(Keyc, Qs). (2)
After passing through the key agreement phase, the session key is made by h(dc ·ds·P1)and it is
proved as follows:
Session Key =h(Keyc) =dc·Qs =dc·ds·P1
=ds·dc·P1
=h(Keys).
3. The Proposed Protocol
Client Server
-Random integerdc∈[1, n−1] Random integerds∈[1, n−1]
(A1)Qc=dc·P1+P W·P2 (A2)Qs=ds·P1
Q0c=Qc−P W·P2
Keys=Q0c·ds Qc
Qskh(Keys, Q0c)
(A3)Keyc=Qs·dc
Check:
h(Keyc, dc·P1) ?= h(Keys, Q0c)
(B1) IfEq. (2) holds, then
sendsh(Keyc, Qs) h(Keyc, Qs)
(B2) Check:
h(Keys, ds·P1) ?= h(Keyc, Qs)
Session Key=h(Keyc) =h(Keys) =h(dc·ds·P1)
Fig. 1. The password-authenticated key exchange protocol between client and server
3.1. Initial Setup
The two communication parties share a password
P Wbefore the protocol runs. Both of them compute the integer P W−1 before using it later, where the
P W−1is calculated in the fieldZ
nandnis a prime.
3.2. Key Agreement Phase
A1. The client chooses a random integerdc∈[1, n− 1], computesQc=dc·P1+P W·P2, and sends
Qcto the server.
A1’. In the meantime, the server chooses a random integerds∈[1, n−1], computesQs=ds·P1+
P W−1·P2, and sendsQsto the client.
A2. After receivingQs, the client computesQs0 = Qs−P W−1·P2and obtains theKeycby
com-putingKeyc =dc·Qs0.
A2’. After receivingQc, the server computesQc0 = Qc−P W·P2to obtain theKeys=ds·Qc0.
3.3. Key Confirmation Phase
B1. The client sends Vc = h(Keyc, Qs0) to the
server. TheVc is a hash value and composed of KeycandQs0.
B1’. The server sends Vs = h(Keys, Qc0) to the
server. TheVsis a hash value and composed of KeysandQc0.
B2. The client verifies Equation (3). If it holds, the client can get the session keySKc =h(Keyc),
otherwise it will be rejected.
Vs ?= h(Keyc, dc·P1). (3)
B2’. The server checks Equation (4). If it holds, the server can get the session keySKs=h(Keys),
otherwise it will be rejected.
Vc ?= h(Keys, ds·P1). (4)
Client Server
Random integerdc∈[1, n−1] Random integerds∈[1, n−1]
(A1)Qc=dc·P1+P W·P2 (A1’)Qs=ds·P1+P W−1·P2
Qc
Qs
(A2)Q0s=Qs−P W−1·P2
Keyc=dc·Q0s
(A2’)Q0c=Qc−P W·P2
Keys=ds·Q0c
(B1)Vc=h(Keyc, Q0s) (B1’)Vs=h(Keys, Q0c)
(B2)Vs ?= h(Keyc, dc·P1)
SKc=h(Keyc)
(B2’)Vc ?= h(Keys, ds·P1)
SKs=h(Keys) Vc
Vs
SessionKey=h(Keyc) =h(Keys) =h(dc·ds·P1)
Fig. 2. The password-authenticated key exchange protocol in parallel processing environment
StepsB1andB10can be executed at the same time, and Steps B2 and B20 can be executed simultane-ously as well. Evidently, our protocol speeds up the session key generation by using the parallel process-ing mechanism without the waitprocess-ing time.
In addition, we can make some minor modifica-tions to increase the performance. If the client and the server store the value ofP W·P2andP W−1·P2in
their storage, the number of the elliptic curve multi-plication can be reduced to two times. Considering the light-weight client, the valuesdc andQc can be
pre-determined and stored in advance to improve the efficiency. Therefore, the client requires the less time-consuming.
4. Discussions and Security Analysis
In this section, the requirements and attacks anal-yses of the proposed protocols are presented. 4.1. Requirements of the Key Agreement Protocol
The key agreement protocol should satisfy the following requirements. We show that our protocol meets the requirements.
1. Session Key Security.
Only the communication client and the server have
the same session key. In our protocol, the session key is generated by the random numbers chosen by both parities individually, and the random numbers are also protected by the ECDLP and the common password. When an attacker guesses a passwordpw0to obtain a valueQ00c = Qc−pw0·P2, it is hard to obtain the
dc from the pointQ00c due to the ECDLP. Also, it is
very difficult to derive thedsfrom theQs. Therefore,
the session key is only known by the communication client and the server.
2. Mutual Authentication.
The client and the server can authenticate each other to make sure that they are communicating with the right party. When the protocol runs at Step B2, the client can authenticate the server by Equation (3) be-cause only the correct server has the sharedP W for computing the messageQsandVs. Also, the server
authenticates the client by Equation (4). Therefore, the protocol has the property of the mutual authenti-cation.
3. Perfect Forward/Backward Secrecy. When a session key is compromised, the attacker can-not derive any previous/following session key. The in-teger dc chosen by the client and ds chosen by the
we can guarantee that the session key is unique in every session. All session keys are not related, so the PPAKE protocol does not have any perfect for-ward/backward security problem.
4. Known-key Security.
The known-key security should guarantee that the session key produced by every session is unique. The client chooses random numberdcand the server
chooses random numberdsindividually in every
ses-sion to have a distinguishable sesses-sion keyh(dc·ds· P1), so each session has a unique session key.
5. Key Control Security.
For security reason, the session key cannot be chosen by client or server [20]. In our protocol, the session key,h(Keyc) =h(Keys) =h(dc·ds·P1), is
com-puted by the numberdc chosen by the client andds
chosen by the server. Therefore, neither one can de-terminate the session key alone. The session key is determined by both communication parties.
4.2. Attacks Analyses
We show that the proposed protocol can resist the following four attacks.
1. Man-in-the-middle Attack.
The Man-in-the-middle Attack is one in which an at-tacker makes independent connections with the client and server, and controls the entire conversation by re-laying messages between them. In our protocol, the attacker cannot know the pre-shared password, so he only can blindly forge a message. Without the pass-word, the attacker cannot computeQ0c orQ0sand de-rive theKeysorKeyc. Therefore, he only can give
a mess message instead of the correctVc orVs. Of
course, the mess message will be detected at StepB2
orB20, so the man-in-the-middle attack cannot suc-ceed.
2. Password Guessing Attack.
The password guessing attack is that an adversary guesses the password on-line or off-line. It is very easy to detect the on-line password guessing attack by counting the number of guessing. But the off-line guessing attack is more difficult to prevent. The adversary intercepts {Qc = dc ·P1+P W ·P2},
{Qs=ds·P1+P W−1·P2}, {Vc=h(Keyc, Q0s)}
and {Vs=h(Keys, Q0c)} in the communication. The
adversary guesses a password P W0 and computes
Q0c = Qc−P W0 ·P2. However, he cannot derive
theds or dc due to the elliptic curve discrete
loga-rithm problem (ECDLP), so he cannot have the cor-rectKeysorKeycto compare the messageVcorVs.
Therefore, it is difficult to guess the password off-line by an adversary.
3. Impersonation Attack.
The impersonation attack is that an adversary
imper-sonates one of the communication parties in order to use the service he wishes. In our protocol, the adver-sary can successfully impersonate any one communi-cation party only if he has the pre-shared password. However, it is difficult to obtain the password from the intercepted message over Internet. If the adver-sary can obtain the flaw messages, he should face to solve ECDLP if he wants to compute theP W from
Qc. Without theP W, he cannot compute theKeysto
pass through the key confirmation phase. Besides, the
Keysis also protected by the one-way hash function
when the adversary has the message Vs. Therefore,
the impersonation attack can be prevented in PPAKE protocol.
4. Reflection Attack.
The reflection attack is a serious problem in the par-allel processing mechanism. The attack indicates that when an adversary re-sends the message generated by one party and may pass through the verification phase. If the attacker intercepts the message Qc = dc·P1+P W ·P2from the legal client and re-send
Qc instead ofQsandVc instead ofVs to the client,
the client will reject the connection in the key con-firmation phase. The way that the client finds out the confliction is stated as follows:
(A2)Q0s =Qc−P W−1·P2
= (dc·P1+P W·P2)−P W−1·P2.
Keyc =dc·Q0s
=dc·(Qc−P W−1·P2)
=dc·(dc·P1+P W·P2−P W−1·P2).
(B1)Vc =h(Keyc, Q0s). (B2)Vs =h(Keyc, Q0s)
=h(Keyc,(dc·P1+P W ·P2−P W−1·P2))
6
=h(Keyc, dc·P1).
Therefore, our protocol can resist the reflection at-tack.
5. Conclusions
The PPAKE protocol is introduced in this arti-cle. It is a parallel protocol for generating a session key between two parties and is less time-consuming by parallel processing. We showed that it reaches the requirements of key agreement protocol and is secure enough to be used.
If the client and the server store the values of
P W·P2andP W−1·P2in the storage, the executing
Therefore, the PPAKE protocol is a good choice of key agreement protocol in the wireless environments or Internet.
Acknowledgement
This work was supported in part by the Taiwan Information Security Center (TWISC) and the Na-tional Science Council under the grants NSC95-2218-E-001-001, and NSC95-2218-E-011-015.
References
[1] W. Diffie, M. E. Hellman.New directions in cryp-tography.IEEE Transactions on Information Theory, 1976, IT-22 (6), 644 - 654.
[2] M.-S. Hwang, J.-W. Lo, C.-H. Liu.Enhanced of key agreement protocols resistant to a denial-of-service at-tack.Fundamenta Informaticae, 2004, 61 (34), 389 -398.
[3] E. J.-L. Lu, M.-S. Hwang.An improvement of a sim-ple authenticated key agreement algorithm.Pakistan Journal of Applied Sciences, 2002, 2 (1), 64 - 65. [4] E. J.-L. Lu, C.-C. Lee, M.-S. Hwang.
Cryptanaly-sis of some authenticated key agreement protocols. In-ternational Journal of Computational and Numerical Analysis and Applications, 2003, 3 (2), 151 - 157. [5] M. Bellare, D. Pointcheval, P. Rogaway.
Authenti-cated key exchange secure against dictionary attacks. in: Advances in Cryptology - EUROCRYPT’00, 2000, 139 - 155.
[6] S. M. Bellovin, M. Merritt.Encrypted key exchange: Password-based protocols secure against dictionary at-tacks.in: Proceedings of 1992 IEEE Computer Society Conference on Research in Security and Privacy, 1992, 72 - 84.
[7] O. Goldreich, Y. Lindell.Session-key generation us-ing human passwords only,in: Advances in Cryptol-ogy, CRYPTO’01, Lecture Notes in Computer Science, 2001, 2139, 408 - 432.
[8] W.-S. Juang, J.-L. Wu.Efficient user authentication and key agreement with user privacy protection. Inter-national Journal of Network Security, 2008, 7 (1), 120 - 129.
[9] J. Katz, R. Ostrovsky, M. Yung.Efficient password-authenticated key exchange using human-memorable passwords, in: Proceedings of EUROCRYPT’2001, Austria, Lecture Notes in Computer Science, 2001, 2045, 475 - 494.
[10] C. C. Lee, T. C. Lin, M. S. Hwang. A key agree-ment scheme for satellite communications.Information Technology And Control, 2010, 39 (1), 43 - 47. [11] J. L. Tsai. Weaknesses and improvement of
Hsu-Chuang’s user identification scheme.Information Tech-nology And Control, 2010, 39 (1), 48 - 50.
[12] K. Kobara, H. Imai. Pretty-simple password-authenticated key-exchange protocol proven to be se-cure in the standard model. IEICE Transactions on
Fundamentals of Electronics, Communications and Computer Sciences, 2002, E85-A (10), 2229 - 2237. [13] T. C. Lin.Algorithms on elliptic curves over fields
of characteristic two with non-adjacent forms. Interna-tional Journal of Network Security, 2009, 9 (2), 117 -120.
[14] D. Yong, Y. F. Hong, W. T. Wang, Y. Y. Zhou, and X. Y. Zhao.Speeding scalar multiplication of elliptic curve over GF(2mn).
International Journal of Net-work Security, 2010, 11 (2), 70 - 77.
[15] S. A. Vanstone.Next generation security for wireless: elliptic curve cryptography. Computers and Security, 2003, 22 (5), 412 - 415.
[16] C.-C. Yang, T.-Y. Chang, M.-S. Hwang. A new anonymous conference key distribution system based on the elliptic curve discrete logarithm problem. Com-puter Standards & Interfaces, 2003, 25 (2), 141 - 145. [17] T.-Y. Chang, C.-C. Yang, C.-M. Chen.
Improve-ment on pretty-simple password authenticated key-exchange protocol for wireless networks.Informatica, 2004, 15 (2), 161 - 170.
[18] A.-F. Sui, L. C. Hui, S. Yiu, K. Chow, W. Tsang, C. Chong, K. Pun, H. Chan. An improved authen-ticated key agreement protocol with perfect forward secrecy for wireless mobile communication. IEEE Wireless Communications and Networking Conference, 2005, 4, 2088 - 2093.
[19] D. E. Comer.Computer networks and Internets, 5th Edition.Pearson Prentice Hall, 2008.
[20] C. Mitchell, M. Ward, P. Wilson. Key control in key agreement protocols. Electronics Letters, 1998, 34 (10), 980 - 981.
